
file monitoring on universal forwarder from splunk server

lalit_mohan
Path Finder

Hi Guys,

I have two instances in a Microsoft Azure environment: one is splunk-server and the other is splunk-forwarder (UniversalForwarder). Everything is fine with the configuration. Then I tried to monitor Tomcat logs, and I performed the steps below on the forwarder.

/usr/share/splunk_setup/splunkforwarder/bin/splunk add monitor /usr/share/apache-tomcat-7.0.42/logs/catalina.out -index default -sourcetype log4j -hostname splunkforwarder

But in the search tab of splunk-web I always get "No results found".
search-query: host=splunkforwarder sourcetype=log4j

Am I missing something? Please help me out. Thanks in advance!


lalit_mohan
Path Finder

Hi somesoni2,

Thanks for your kind support!

My problem is solved; now I am able to monitor my splunkforwarder Tomcat log file on the splunk-server dashboard.

I added following lines:

In ...splunkforwarder/etc/system/local/inputs.conf:

[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype = log4j

In ...splunkforwarder/etc/system/local/outputs.conf:

forwardedindex.0.whitelist = .*
forwardedindex.1.whitelist = _.*

[tcpout:default_index]
server = splunkserver.cloudapp.net:9997

somesoni2
Revered Legend

I don't see any entry for your file, and maybe that is the reason it's not sending any data (not sure why the CLI command didn't work). Try adding the following to your splunkforwarder/etc/system/local/inputs.conf, at the end:

[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype = log4j

lalit_mohan
Path Finder

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0
start_by_shell = true

[SSL]
# default cipher suites that splunk allows. Change this if you wish to increase the security
# of SSL connections, or to lower it if you are having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true

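Both the working inputs.conf/outputs.conf pair posted earlier in this thread and the default [splunktcp]/[SSL] stanzas pasted in this post can be sanity-checked offline. The script below is an added example written for this page; it is not the poster's code and not anything shipped with Splunk. The .conf text inside it is constructed for the example (the file path, host name and port are the ones from the thread), the sample outputs.conf puts the forwardedindex filters in the global [tcpout] stanza, and the rule that an index matched by no forwardedindex filter is still forwarded is an assumption.

```python
"""Static checks on a Universal Forwarder's inputs.conf and outputs.conf.

Added example, not the poster's code and not Splunk's: it confirms that a
[monitor://] stanza covers the file, that [tcpout] names a group with a
server and that the forwardedindex filters keep the input's index, and it
flags weak values in the receiving-side [SSL]/[splunktcp] stanzas. All
.conf text below is constructed; path, host and port come from the thread."""
import re

TARGET = "/usr/share/apache-tomcat-7.0.42/logs/catalina.out"

# Constructed: the pair that made the input work, filters in global [tcpout].
WORKING_INPUTS = """
[monitor:///usr/share/apache-tomcat-7.0.42/logs/catalina.out]
index = default
sourcetype = log4j
"""
WORKING_OUTPUTS = """
[tcpout]
defaultGroup = default_index
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal)
[tcpout:default_index]
server = splunkserver.cloudapp.net:9997
"""
# Constructed: two slashes after "monitor:", as in the first suggested stanza.
BROKEN_INPUTS = WORKING_INPUTS.replace("monitor:///", "monitor://")
# Constructed: the receiving-side stanzas of the default inputs.conf.
DEFAULT_RECEIVER = """
[splunktcp]
acceptFrom=*
[SSL]
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
allowSslRenegotiation = true
"""

def parse_conf(text):
    """Minimal Splunk .conf reader: [stanza], key = value, '#' comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def index_forwarded(tcpout, index):
    """Apply forwardedindex.<n>.whitelist/blacklist in numeric order; the last
    matching filter decides. Assumption: an index no filter matches is forwarded."""
    rules = []
    for key, regex in tcpout.items():
        m = re.fullmatch(r"forwardedindex\.(\d+)\.(whitelist|blacklist)", key)
        if m:
            rules.append((int(m.group(1)), m.group(2), regex))
    forwarded = True
    for _, kind, regex in sorted(rules):
        if re.fullmatch(regex, index):
            forwarded = kind == "whitelist"
    return forwarded

def check_forwarder(inputs_text, outputs_text, wanted_path):
    """Return findings explaining why `wanted_path` would not reach the indexer."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    findings, monitors = [], {}
    for name, body in inputs.items():
        if name.startswith("monitor://"):
            path = name[len("monitor://"):]
            if not path.startswith("/"):
                findings.append(f"[{name}] path is not absolute; use monitor:///{path}")
            monitors["/" + path.lstrip("/")] = body
    target = monitors.get(wanted_path)
    if target is None:
        return findings + [f"no [monitor://] stanza covers {wanted_path}"]
    index = target.get("index", inputs.get("default", {}).get("index", "default"))
    tcpout = outputs.get("tcpout", {})
    group = tcpout.get("defaultGroup")
    if not group:
        findings.append("[tcpout] has no defaultGroup, so no group receives events")
    elif "server" not in outputs.get(f"tcpout:{group}", {}):
        findings.append(f"[tcpout:{group}] has no server = host:port")
    if not index_forwarded(tcpout, index):
        findings.append(f"index '{index}' is dropped by the forwardedindex filters")
    return findings

def check_receiver_ssl(inputs_text):
    """Flag weak settings that matter only on an instance listening with
    [splunktcp] or [splunktcp-ssl]; a forwarder that just sends is unaffected."""
    conf, findings = parse_conf(inputs_text), []
    ssl = conf.get("SSL", {})
    if ssl.get("allowSslRenegotiation", "").lower() == "true":
        findings.append("[SSL] allowSslRenegotiation = true; set it to false")
    for token in ssl.get("cipherSuite", "").split(":"):
        # in an OpenSSL cipher list '!X' removes X; any other token keeps it
        if not token.startswith("!") and any(w in token for w in ("RC4", "MEDIUM", "LOW", "EXP")):
            findings.append(f"[SSL] cipherSuite keeps weak ciphers via '{token}'")
    if (tcp := conf.get("splunktcp")) is not None and tcp.get("acceptFrom", "*") == "*":
        findings.append("[splunktcp] acceptFrom = * accepts any source; list forwarder CIDRs")
    return findings
```

To use it on a real forwarder, replace the constructed strings with the contents of etc/system/local/inputs.conf and outputs.conf and call check_forwarder() with the file you expect to see; an empty list means the three places this thread ran into (no matching monitor stanza, no tcpout target, index filtered out) are clear. check_receiver_ssl() is for the indexer side: a forwarder that only sends never opens a [splunktcp] listener, so the RC4/MEDIUM cipher list, renegotiation and acceptFrom = * in its default inputs.conf are harmless there, but on the receiver they should be tightened.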

lalit_mohan
Path Finder

[batch://$SPLUNK_HOME/var/spool/splunk]
move_policy = sinkhole
crcSalt = <SOURCE>

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_new]
queue = stashparsing
sourcetype = stash_new
move_policy = sinkhole
crcSalt = <SOURCE>

[fschange:$SPLUNK_HOME/etc]
# poll every 10 minutes
pollPeriod = 600
# generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns


lalit_mohan
Path Finder

[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/local/inputs.conf
[default]
host = splunkforwarder

The default one is quite long, so I will be sending it in parts.

[root@splunkforwarder ~]# cat /usr/share/splunk_setup/splunkforwarder/etc/system/default/inputs.conf

[default]
index = default
_rcvbuf = 1572864
host = $decideOnStartup

[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal

[monitor://$SPLUNK_HOME/etc/splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version


somesoni2
Revered Legend

Could you please post your inputs.conf file from the forwarder (mostly splunkforwarder/etc/system/local; if not found there, check splunkforwarder/etc/system/default)?
